This function will convert a integer entry in the fieldname given by infield (if exists) to a ISO-8601 formatted value (i.e. variants of 24 13:45:56 - where "24" is the number of days), and put the result into a field name given in outfield.
As of version 4.2 of Splunk, the various use of strftime() is unfortunately epoch based, thus they are not suitable to give you a correct time representation of a given number of seconds.
|metadata type=sources |eval LastSeen=now()-recentTime | sec2time infield=LastSeen outfield=LastSeen | rename totalCount as Count recentTime as "Last Update" LastSeen as "Last Seen" | table source Count "Last Update" "Last Seen" | fieldformat "Last Update"=strftime('Last Update', "%Y-%m-%d %T")
The latest version of this code is found at https://github.com/RubenOlsen/splunkcommands
This is also the place where you can report bugs.
As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps from Splunk, our partners and our community. Find an app for most any data source and user need, or simply create your own with help from our developer portal.